ironsh

ironsh / iron-sensor

Public

An eBPF-based behavioral monitor for AI coding agents.

43
3
100% credibility
Found Mar 25, 2026 at 43 stars -- GitGems finds repos before they trend. Get early access to the next one.
Sign Up Free
AI Analysis
C
AI Summary

iron-sensor is a Linux tool that monitors AI coding agents like Claude Code and Codex, logging their process spawns, file touches, and persistence attempts as structured events.

How It Works

1
🛡️ Discover iron-sensor

You hear about this handy watchdog while using AI helpers for coding and worry they might sneakily change things on your computer.

2
📥 Grab the ready program

Download the simple package from the latest release page with one quick click.

3
💻 Place it on your Linux machine

Copy the program to a folder like your tools directory and make it ready to run.

4
▶️ Turn on the watchdog

Run it once with special permissions, and it starts quietly watching every move your AI coding helpers make.

5
Choose your setup
🔍
Quick check

See live updates right on screen to spot issues immediately.

🔄
Always-on guard

Set it up to start automatically and save reports to a log file.

📊 See what's happening

Check your reports to know exactly what files AI agents touch or programs they start, keeping everything safe and under control.

Sign up to see the full architecture

4 more

Sign Up Free

Star Growth

See how this repo grew from 43 to 43 stars Sign Up Free
Repurpose This Repo

Repurpose is a Pro feature

Generate ready-to-use prompts for X threads, LinkedIn posts, blog posts, YouTube scripts, and more -- with full repo context baked in.

Unlock Repurpose
AI-Generated Review

What is iron-sensor?

iron-sensor is an eBPF-based behavioral monitor for AI coding agents, built in C and Go. It detects agents like Claude Code, Codex, and OpenClaw on Linux systems, then tracks every process spawn, file open, and persistence attempt in their subtree, emitting NDJSON events for alerting and auditing. Like an iron detection sensor for coding agents, it catches risky moves such as cron writes or SSH key access without blocking workflows.

Why is it gaining traction?

Zero-overhead kernel tracing via eBPF delivers precise visibility into agent subtrees, with rules classifying behaviors like priv-esc (sudo), network tools (curl), or persistence (systemd units). YAML config tunes severity filters and outputs (rotating files or stdout), plus one-command systemd service setup. Developers love the structured events for quick integration with log aggregators, unlike bloated general monitors.

Who should use this?

DevOps engineers running AI coding agents on Linux workstations or CI servers. Security teams auditing Claude or Cursor sessions for backdoor risks. Solo devs using tools like OpenClaw who want behavioral logs without full EDR overhead.

Verdict

Deploy it today for AI agent oversight—prebuilt binaries, clear docs, and e2e tests make it production-ready out of the box. With 43 stars and 1.0% credibility score, it's immature but focused; extend rules as your needs grow.

Sign up to read the full AI review Sign Up Free

Similar repos coming soon.